Information breach fallout offers multiple choices

Multiple-choice seems the fitting form to test the most recent allegations of duplicity and incompetence levelled at the Nova Scotia government.

From among the following statements, please identify the egregious failure. The government’s freedom of information/protection of privacy web portal is demonstrably insecure. Once breached and personal information exposed, the government hid that from Nova Scotians, including those at risk. The breach was only discovered by luck. Or finally, given a week to get its story straight, the government didn’t.

An ‘all-the-above’ choice is too obvious. The good news is there’s no wrong answer, but that’s the bad news, too.

For more than a week now, visitors to the province’s online freedom of information, protection of privacy web portal have been greeted by an ugly “system unavailable” message.

Tory House Leader Chris d’Entremont started asking about the failure this week and was underinformed by Internal Services Minister Patricia Arab, who initially said only that there was an “issue” with the site.

Wednesday the government fessed up. By exploiting a vulnerability on the site, someone had gained access to about 7,000 barely protected files, some of which contained such personal data as names, addresses, social insurance numbers, and birthdates of people who have dealings with the province.

Oops.

Halifax police followed the digital tracks and charged a 19-year-old kid with the unusual offense of unauthorized use of a computer. That’s pretty much all they had, given that making the government look stupid is not a crime, which is good news for cabinet ministers and columnists.

The government kept the security breach a secret for a week after its discovery – a full month after it had occurred – so as not to impede the work of the police and at the request of the cops, or so it claimed.

Not so, according to the police, who didn’t get the government’s talking point and didn’t seem to care a whit who the government told about its porous web security.

Oops, again.

By Thursday, with the imagined gag order from the police no longer an available excuse, Premier Stephen McNeil and Ms. Arab were saying the breach was kept quiet so the perpetrator wasn’t tipped off, thus containing further distribution of the sensitive personal information.

That story is in a leaky bucket too. The perpetrator already had a month to distribute the information, and when the site he had breached was replaced by the stark “system unavailable” message, anyone with the savvy to breach its security would know the jig was up.

In addition, the government waited five days to inform its privacy commissioner of the breach.

Questioned in the House Thursday, the minister allowed that the government’s priority was to “contain the situation,” although she quickly corrected herself by adding “contain the information.”

A slip of the lip in the heat of debate can be a misstatement or a tell. Was the goal to contain the damage from the information breach, or contain the political damage? Either objective can be deemed a miss, at this point.

The government maintains that it followed all its protocols but the protocol states that those whose information was compromised should be informed as soon as possible. The government took a different course and has only now begun the process of contacting individuals whose personal information was accessed and downloaded.

This despite the admission from the minister that the “gravity for those impacted is beyond comprehension.” It is, in fact, fully comprehensible by any victim of identity theft.

Ms. Arab’s assurance that her department is working with other departments to track people whose information was disclosed doesn’t offer a big confidence boost either. Anytime more than one government department gets involved, wires get crossed.

Another alarming aspect of this mess is that the province discovered its site had been breached and personal information compromised entirely by accident. A researcher using the site stumbled through the gaping hole in security and raised the flag.

This, of course, raises questions about the security of other highly confidential personal information the province has squirrelled away on its servers and those of the tech companies it contracts. The system breached in this case was a Unisys/CSDC creation.

As for the suspect in the case, don’t be surprised if he has some top legal talent around if the case gets to court. This may be a tasty treat for a lawyer given an opportunity to make the province look goofier than it already does.

If the case doesn’t make it to trial, Nova Scotians will wonder if the government decided against another egg facial.

Jim Vibert, a journalist and writer for longer than he cares to admit, consulted or worked for five Nova Scotia governments. He now keeps a close and critical eye on provincial and regional powers.